ISE update URLs

ksastoqu
Cisco Employee

Hello All,

 

I would like to confirm, what are the IP addresses expected to be resolved when using the URL for posture updates 

https://www.cisco.com/web/secure/pmbu/posture-update.xml

 

Recently, that URL is resolving to these IP addresses:

 

- 52.222.129.243
- 23.46.80.149

In order to allow IP addresses or URLs for ISE to perform posture updates in, for example, a firewall, are there any other IPs that should be allowed? The customer is allowing FQDN on the firewall.

Accepted Solutions

hslai
Cisco Employee

www.cisco.com is being resolved to different IP addresses, depending on the ISP and the geo region.

This particular feed URL is then redirecting to https://iseservice.cisco.com/ise/posture-update.xml. Similarly, the DNS resolution for this host "iseservice.cisco.com" may differ.

Most firewalls allow inputting FQDN hostnames in ACLs. If not supported, please ask to put the current resolved IP addresses at the customer site(s).


4 Replies

ksastoqu
Cisco Employee
Customer is not using proxy, by the way.

Thanks.

 

So the customer already has FQDNs allowed on his FW, but the only way it works is when he adds a line as "permit any". After he removes this line from his FW, Posture Updates stop working.

 

Could it be that the FQDN is not working properly on his FW?

The FW also needs to allow HTTPS connections to iseservice.cisco.com. If it is still not working, then please monitor the FW and see why it is not allowing the retrievals.
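
Added example, not part of the thread and not Cisco code: a small check that walks the feed URL's redirect chain one hop at a time and lists every scheme, host and port the firewall has to permit, then resolves each host from the local resolver. The function names `probe`, `redirect_hosts` and `resolve` are hypothetical; the only page-derived value is the feed URL.

```python
import http.client
import socket
from urllib.parse import urljoin, urlsplit

FEED_URL = "https://www.cisco.com/web/secure/pmbu/posture-update.xml"  # from the thread

def probe(url, timeout=10):
    """Send one GET without following redirects; return (status, Location header)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path)
        resp = conn.getresponse()  # body is not read; only the headers matter here
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def redirect_hosts(url, probe=probe, max_hops=5):
    """Return the ordered, de-duplicated (scheme, host, port) hops of the redirect chain."""
    hops = []
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        hop = (parts.scheme, parts.hostname, port)
        if hop not in hops:
            hops.append(hop)
        status, location = probe(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("redirect chain longer than max_hops")

def resolve(host, port):
    """Addresses the local resolver returns right now; they differ by ISP and region."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Run from the ISE node's network segment so DNS answers match what ISE sees.
    for scheme, host, port in redirect_hosts(FEED_URL):
        print(f"{scheme}://{host}:{port} -> {', '.join(resolve(host, port))}")
```

If the script succeeds from a host outside the firewall but times out on a later hop from behind it, that hop's FQDN rule is the one to inspect.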